<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<subsection-title-en>3.7 Address Translation Attacks</subsection-title-en>
<subsection-title-ch>3.7 地址转换攻击</subsection-title-ch>
<p-en>
	§3.5 argues that today's system software is virtually guaranteed to have security vulnerabilities. This suggests that a cautious secure architecture should avoid having the system software in the TCB.
</p-en>
<p-ch>
	§3.5认为，今天的系统软件几乎可以保证存在安全漏洞。这表明，谨慎的安全架构应该避免将系统软件放在TCB中。
</p-ch>
<p-en>
	However, removing the system software from the TCB requires the architecture to provide a method for isolating sensitive application code from the untrusted system software. This is typically accomplished by designing a mechanism for loading application code in isolated containers whose contents can be certified via software attestation (§3.3). One of the more difficult problems these designs face is that application software relies on the memory management services provided by the system software, which is now untrusted.
</p-en>
<p-ch>
	然而，从TCB中移除系统软件需要该架构提供一种方法，将敏感的应用程序代码与不受信任的系统软件隔离开来。这通常是通过设计一种机制来实现的，该机制用于将应用程序代码加载到隔离的容器中，其内容可以通过软件认证（§3.3）。这些设计面临的一个比较困难的问题是，应用软件依赖于系统软件提供的内存管理服务，而系统软件现在是不受信任的。
</p-ch>
<p-en>
	Intel's SGX [14, 139], leaves the system software in charge of setting up the page tables (§2.5) used by address translation, inspired by Bastion [31], but instantiates access checks that prevent the system software from directly accessing the isolated container's memory.
</p-en>
<p-ch>
	英特尔的SGX[14，139]，受Bastion[31]的启发，让系统软件负责设置地址转换所使用的页表(§2.5)，但实例化访问检查，防止系统软件直接访问隔离容器的内存。
</p-ch>
<p-en>
	This section discusses some attacks that become relevant when the application software does not trust the system software, which is in charge of the page tables. Understanding these attacks is a prerequisite to reasoning about the security properties of architectures with this threat model. For example, many of the mechanisms in SGX target a subset of the attacks described here.
</p-en>
<p-ch>
	本节讨论了当应用软件不信任负责页表的系统软件时，一些攻击变得相关。理解这些攻击是推理具有这种威胁模型的架构的安全特性的前提。例如，SGX中的许多机制都针对这里描述的攻击的子集。
</p-ch>
<subsection-title-en>3.7.1 Passive Attacks</subsection-title-en>
<subsection-title-ch>3.7.1 被动攻击</subsection-title-ch>

<p-en>
	System software uses the CPU's address translation feature (§2.5) to implement page swapping, where infrequently used memory pages are evicted from DRAM to a slower storage medium. Page swapping relies the accessed (A) and dirty (D) page table entry attributes (§2.5.3) to identify the DRAM pages to be evicted, and on a page fault handler (§2.8.2) to bring evicted pages back into DRAM when they are accessed.
</p-en>
<p-ch>
	系统软件使用CPU的地址转换功能(§2.5)来实现页面交换，即把不常用的内存页面从DRAM中驱逐到较慢的存储介质中。页面交换依靠accessed (A)和dirty (D)页面表条目属性(§2.5.3)来识别要被驱逐的DRAM页面，并依靠页面故障处理程序(§2.8.2)在访问时将被驱逐的页面带回DRAM。
</p-ch>
<p-en>
	Unfortunately, the features that support efficient page swapping turn into a security liability, when the system software managing the page tables is not trusted by the application software using the page tables. The system software can be prevented from reading the application's memory directly by placing the application in an isolated container. However, potentially malicious system software can still infer partial information about the application's memory access patterns, by observing the application's page faults and page table attributes.
</p-en>
<p-ch>
	不幸的是，当管理页表的系统软件不被使用页表的应用软件信任时，支持高效页交换的功能就会变成安全隐患。通过将应用软件放在一个隔离的容器中，可以防止系统软件直接读取应用软件的内存。但是，潜在的恶意系统软件仍然可以通过观察应用程序的页故障和页表属性，推断出应用程序的部分内存访问模式信息。
</p-ch>
<p-en>
	We consider this class of attacks to be passive attacks that exploit the CPU's address translation feature. It may seem that the page-level memory access patterns provided by these attacks are not very useful. However, [195] describes how this attack can be carried out against Intel's SGX, and implements the attack in a few practical settings. In one scenario, which is particularly concerning for medical image processing, the outline of a JPEG image is inferred while the image is decompressed inside a container protected by SGX's isolation guarantees.
</p-en>
<p-ch>
	我们认为这一类攻击是利用CPU的地址转换功能的被动攻击。看起来，这些攻击提供的页级内存访问模式似乎不是很有用。然而，[195]描述了如何针对英特尔的SGX进行这种攻击，并在一些实际环境中实现了这种攻击。在一个对医学图像处理特别重要的场景中，JPEG图像的轮廓被推断出来，同时图像在SGX的隔离保证保护的容器内被解压。
</p-ch>
<p-en>
	We define active address translation attacks to be the class of attacks where malicious system software modifies the page tables used by an application in a way that breaks the virtual memory abstraction (§2.5). Memory mapping attacks do not include scenarios where the system software breaks the memory abstraction by directly writing to the application's memory pages.
</p-en>
<p-ch>
	我们将主动地址转换攻击定义为恶意系统软件以破坏虚拟内存抽象的方式修改应用程序使用的页表的一类攻击（§2.5）。内存映射攻击不包括系统软件通过直接写入应用程序的内存页来破坏内存抽象的场景。
</p-ch>
<p-en>
	We begin with an example of a straight-forward active attack. In this example, the application inside a protected container performs a security check to decide whether to disclose some sensitive information. Depending on the security check's outcome, the enclave code either calls a errorOut procedure, or a disclose procedure. The simplest version of the attack assumes that each procedure's code starts at a page boundary, and takes up less than a page. These assumptions are relaxed in more complex versions of the attack.
</p-en>
<p-ch>
	我们先来看一个直接的主动攻击的例子。在这个例子中，受保护容器内的应用程序执行安全检查，以决定是否披露一些敏感信息。根据安全检查的结果，飞地代码要么调用错误输出过程，要么调用披露过程。最简单的攻击版本假设每个存储过程的代码都是从一个页面边界开始的，并且占用不到一个页面。在更复杂的攻击版本中，这些假设是放松的。
</p-ch>
<p-en>
	In the most straightforward setting, the malicious system software directly modifies the page tables of the application inside the container, as shown in Figure 54, so the virtual address intended to store the errorOut procedure is actually mapped to a DRAM page that contains the disclose procedure. Without any security measures in place, when the application's code jumps to the virtual address of the errorOut procedure, the CPU will execute the code of the disclose procedure instead.
</p-en>
<p-ch>
	在最直接的设置中，恶意系统软件直接修改了容器内应用程序的页面表，如图54所示，这样打算存储errorOut存储过程的虚拟地址实际上被映射到了包含disclosure存储过程的DRAM页面。在没有任何安全措施的情况下，当应用程序的代码跳转到errorOut存储过程的虚拟地址时，CPU反而会执行披露过程的代码。
</p-ch>
<img src="fig.54.jpg" width="" height="" alt="" />
<p-en>
	Figure 54: An example of an active memory mapping attack. The application's author intends to perform a security check, and only call the procedure that discloses the sensitive information if the check passes. Malicious system software maps the virtual address of the procedure that is called when the check fails, to a DRAM page that contains the disclosing procedure.
</p-en>
<p-ch>
	图54.主动式内存映射攻击的一个例子。主动内存映射攻击的一个例子。应用程序的作者打算执行安全检查，只有在检查通过时才调用披露敏感信息的过程。恶意系统软件将检查失败时调用的程序的虚拟地址映射到包含披露程序的DRAM页。
</p-ch>
<subsection-title-en>3.7.3 Active Attacks Using Page Swapping</subsection-title-en>
<subsection-title-ch>3.7.3 利用页面交换进行主动攻击</subsection-title-ch>

<p-en>
	The most obvious active attacks on memory mapping can be defeated by tracking the correct virtual address for each DRAM page that belongs to a protected container. However, a naive protection measure based on address tracking can be defeated by a more subtle active attack that relies on the architectural support for page swapping. Figure 55 illustrates an attack that does not modify the application's page tables, but produces the same corrupted CPU view of the application as the straight-forward attack described above.
</p-en>
<p-ch>
	对内存映射的最明显的主动攻击可以通过跟踪属于受保护容器的每个DRAM页的正确虚拟地址来击败。然而，基于地址跟踪的天真的保护措施可以被一种更微妙的主动攻击击败，这种攻击依赖于对页面交换的架构支持。图55说明了一种不修改应用程序的页表，但产生与上述直接攻击相同的应用程序的CPU损坏视图的攻击。
</p-ch>
<img src="fig.55.jpg" width="" height="" alt="" />
<p-en>
	Figure 55: An active memory mapping attack where the system software does not modify the page tables. Instead, two pages are evicted from DRAM to a slower storage medium. The malicious system software swaps the two pages' contents then brings them back into DRAM, building the same incorrect page mapping as the direct attack shown in Figure 54. This attack defeats protection measures that rely on tracking the virtual and disk addresses for DRAM pages.
</p-en>
<p-ch>
	图55.主动式内存映射攻击 主动内存映射攻击，系统软件不修改页面表。相反，两个页面从DRAM中被驱逐到一个较慢的存储介质中。恶意的系统软件将这两个页面的内容进行交换，然后将它们带回DRAM中，建立与图54所示的直接攻击相同的错误页面映射。这种攻击击败了依靠跟踪DRAM页面的虚拟和磁盘地址的保护措施。
</p-ch>
<p-en>
	In the swapping attack, malicious system software evicts the pages that contain the errorOut and disclose procedures from DRAM to a slower medium, such as a hard disk. The system software exchanges the hard disk bytes storing the two pages, and then brings the two pages back into DRAM. Remarkably, all the steps taken by this attack are indistinguishable from legitimate page swapping activity, with the exception of the I/O operations that exchange the disk bytes storing evicted pages.
</p-en>
<p-ch>
	在交换攻击中，恶意系统软件将包含错误输出和披露程序的页面从DRAM中驱逐到一个较慢的介质，如硬盘。系统软件将存储这两个页面的硬盘字节进行交换，然后将这两个页面带回DRAM中。值得注意的是，除了交换存储被驱逐页面的磁盘字节的I/O操作外，这种攻击所采取的所有步骤都与合法的页面交换活动无法区分。
</p-ch>
<p-en>
	The subtle attack described in this section can be defeated by cryptographically binding the contents of each page that is evicted from DRAM to the virtual address to which the page should be mapped. The cryptographic primitive (§3.1) used to perform the binding must obviously guarantee integrity. Furthermore, it must also guarantee freshness, in order to foil replay attacks where the system software “undoes” an application's writes by evicting one of its DRAM pages to disk and bringing in an older version of the same page.
</p-en>
<p-ch>
	本节中描述的微妙攻击可以通过将从DRAM中排出的每个页面的内容与应映射到该页面的虚拟地址进行加密绑定来解决。用于执行绑定的加密基元（§3.1）显然必须保证完整性。此外，它还必须保证新鲜度，以防止重放攻击，即系统软件通过将一个DRAM页面驱逐到磁盘上，并引入同一页面的旧版本来 "撤销 "应用程序的写入。
</p-ch>
<subsection-title-en>3.7.4 Active Attacks Based on TLBs</subsection-title-en>
<subsection-title-ch>3.7.4 基于 TLB 的主动攻击</subsection-title-ch>

<p-en>
	Today's multi-core architectures can be subjected to an even more subtle active attack, illustrated in Figure 56, which can bypass any protection measures that solely focus on the integrity of the page tables.
</p-en>
<p-ch>
	今天的多核架构可能会受到更微妙的主动攻击，如图56所示，它可以绕过任何只关注页表完整性的保护措施。
</p-ch>
<img src="fig.56.jpg" width="" height="" alt="" />
<p-en>
	Figure 56: An active memory mapping attack where the system software does not invalidate a core's TLBs when it evicts two pages from DRAM and exchanges their locations when reading them back in. The page tables are updated correctly, but the core with stale TLB entries has the same incorrect view of the protected container's code as in Figure 54.
</p-en>
<p-ch>
	图56.主动式内存映射攻击 主动内存映射攻击，当系统软件从DRAM中取出两个页面，并在读回它们时交换它们的位置时，系统软件并没有使核心的TLB无效。页面表被正确更新，但具有陈旧TLB条目的内核对受保护容器的代码具有与图54中相同的错误视图。
</p-ch>
<p-en>
	For performance reasons, each execution core caches address translation results in its own translation lookaside buffer (TLB, §2.11.5). For simplicity, the TLBs are not covered by the cache coherence protocol that synchronizes data caches across cores. Instead, the system software is responsible for invalidating TLB entries across all the cores when it modifies the page tables.
</p-en>
<p-ch>
	出于性能的考虑，每个执行核都会将地址翻译结果缓存在自己的翻译旁观缓冲区（TLB，§2.11.5）中。为了简单起见，TLB不在缓存一致性协议的覆盖范围内，该协议在各核间同步数据缓存。相反，系统软件在修改页表时，负责使所有内核的TLB条目无效。
</p-ch>
<p-en>
	Malicious system software can take advantage of the design decisions explained above by carrying out the following attack. While the same software used in the previous examples is executing on a core, the system software executes on a different core and evicts the errorOut and disclose pages from DRAM. As in the previous attack, the system software loads the disclose code in the DRAM page that previously held errorOut. In this attack, however, the system software also updates the page tables.
</p-en>
<p-ch>
	恶意系统软件可以利用上面解释的设计决策，进行以下攻击。当前面例子中使用的相同软件在一个核上执行时，系统软件在不同的核上执行，并从DRAM中驱逐错误Out和披露页。与前面的攻击一样，系统软件在之前存放errorOut的DRAM页中加载披露代码。但在这次攻击中，系统软件还更新了页面表。
</p-ch>
<p-en>
	The core where the system software executed sees the code that the application developer intended. Therefore, the attack will pass any security checks that rely upon cryptographic associations between page contents and page table data, as long as the checks are performed by the core used to load pages back into DRAM. However, the core that executes the protected container's code still uses the old page table data, because the system software did not invalidate its TLB entries. Assuming the TLBs are not subjected to any additional security checks, this attack causes the same private information leak as the previous examples.
</p-en>
<p-ch>
	系统软件执行的核心看到的是应用开发者所希望的代码。因此，只要检查是由用于将页面加载回DRAM的核心执行的，攻击就会通过任何依赖页面内容和页表数据之间的加密关联的安全检查。然而，执行受保护容器的代码的核心仍然使用旧的页表数据，因为系统软件没有使其TLB条目无效。假设TLB没有接受任何额外的安全检查，这种攻击会造成与前面例子相同的私人信息泄露。
</p-ch>
<p-en>
	In order to avoid the attack described in this section, the trusted software or hardware that implements protected containers must also ensure that the system software invalidates the relevant TLB entries on all the cores when it evicts a page from a protected container to DRAM.
</p-en>
<p-ch>
	为了避免本节所述的攻击，实现受保护容器的受信任软件或硬件还必须确保系统软件在将页面从受保护容器驱逐到DRAM时，使所有内核上的相关TLB条目无效。
</p-ch>

</body>
</html>	